Windows Hello for business queries


Hello All,

I'm a complete newbie in Microsoft 365 security and need some guidance for a client who has Windows Hello for Business queries.

  1. Client has a hybrid setup.
  2. They want to on-board to Windows Hello for Business.
  3. They are looking for a pilot roll-out of 20 or 100 users on Windows Hello for Business.
  4. Active Directory Federation Services is in place.

Queries

  5. What is meant by key trust and certificate trust?
    Question: Could anyone explain the key differences between key trust and certificate trust?

    I just tried using the Microsoft docs to understand this but can't figure out the differences.
    1. Key trust -
      https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-...

      Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests.

    2. Certificate trust -

      Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.

       The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.

      https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...

  6. For a hybrid deployment, do we have to check whether the client can meet the full list of requirements in the table?
    Question: Does the client fit the hybrid deployment requirements?

    Windows Hello for Business Deployment Prerequisite Overview - Microsoft 365 Security | Microsoft Doc...


Any help would be highly appreciated.  

3 Replies

Can somebody reply to my query? I will be grateful

 

@Ryan Heffernan  @Kartik Kanakasabesan 

best response confirmed by Trevor_Rusher (Community Manager)
Solution

@Aroh Shukla 

I would recommend you to start here: Planning a Windows Hello for Business Deployment - Microsoft 365 Security | Microsoft Docs. If you follow that guide, you should be able to answer your client's questions.

 

To quickly point out your specific questions, the differences between key trust and certificate trust are as follows:

 

A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.

  • The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for... to learn more.
  • The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires Windows Server 2016 or later Active Directory schema). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.

Choose a trust type that is best suited for your organization. Remember, the trust type determines two things: whether you issue authentication certificates to your users, and whether your deployment needs Windows Server 2016 domain controllers.

 

One trust model is not more secure than the other. The major difference is based on the organization's comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end-entity certificates (key trust), versus using existing domain controllers (Windows Server 2008 R2 or later) and needing to enroll certificates for all their users (certificate trust).

 

Because the certificate trust type issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.

 

If your organization wants to use the key trust type, write key trust in box 1b on your planning worksheet. Write Windows Server 2016 in box 4d. Write N/A in box 5b.

 

If your organization wants to use the certificate trust type, write certificate trust in box 1b on your planning worksheet. Write Windows Server 2008 R2 or later in box 4d. In box 5c, write smart card logon under the Template Name column and write users under the Issued To column on your planning worksheet.

 

Source: Planning a Windows Hello for Business Deployment - Microsoft 365 Security | Microsoft Docs

 

Whether your client fits the hybrid deployment requirements depends on the trust type you choose.
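As an added readiness check to go with the trust-type prerequisites in the answer above (this is not code from the original thread or from Microsoft's planning guide; it assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory):

```powershell
# Added example: read-only check of the two prerequisites that differ by trust type.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Key trust: DCs that service key-trust logons must be Windows Server 2016 or later
# (OS version 10.0+). Certificate trust can use any 2008 R2 or later DC.
$minKeyTrustOs = [version]'10.0'

$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion

# Per-site view, because key-trust users are authenticated by DCs in their own site.
$report = $dcs | Group-Object Site | ForEach-Object {
    $capable = @($_.Group | Where-Object {
        # OperatingSystemVersion looks like "10.0 (14393)"; keep the numeric part only
        [version]($_.OperatingSystemVersion -split ' ')[0] -ge $minKeyTrustOs
    })
    [pscustomobject]@{
        Site               = $_.Name
        TotalDCs           = $_.Count
        KeyTrustCapableDCs = $capable.Count
        LegacyDCs          = ($_.Group | Where-Object { $_.HostName -notin $capable.HostName }).HostName -join ', '
    }
}
$report | Format-Table -AutoSize

# Both trust types need the Windows Server 2016 (or later) AD schema.
# objectVersion 87 = Windows Server 2016 schema; 88 = Windows Server 2019/2022.
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -ge 87) {
    "Schema objectVersion $($schema.objectVersion): meets the Windows Server 2016 schema requirement."
} else {
    "Schema objectVersion $($schema.objectVersion): schema must be extended to Windows Server 2016 level first."
}

# A site with no 2016+ DC cannot serve key-trust logons locally; that site needs a
# newer DC (or the deployment needs certificate trust) before the pilot starts.
$report | Where-Object { $_.KeyTrustCapableDCs -eq 0 } | ForEach-Object {
    "WARNING: site '$($_.Site)' has no Windows Server 2016 or later domain controller."
}
```

Run it from a workstation with RSAT before sizing the pilot; it changes nothing in the directory.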

Thanks a million R_Gijsbers_Rademakers for your reply.
